2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
24 static LIST_HEAD(nf_tables_expressions);
27 * nft_register_afinfo - register nf_tables address family info
29 * @afi: address family info to register
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
34 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45 * nft_unregister_afinfo - unregister nf_tables address family info
47 * @afi: address family info to unregister
49 * Unregister the address family for use with nf_tables.
51 void nft_unregister_afinfo(struct nft_af_info *afi)
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
59 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
61 struct nft_af_info *afi;
63 list_for_each_entry(afi, &net->nft.af_info, list) {
64 if (afi->family == family)
70 static struct nft_af_info *
71 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
73 struct nft_af_info *afi;
75 afi = nft_afinfo_lookup(net, family);
80 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
81 request_module("nft-afinfo-%u", family);
82 nfnl_lock(NFNL_SUBSYS_NFTABLES);
83 afi = nft_afinfo_lookup(net, family);
85 return ERR_PTR(-EAGAIN);
88 return ERR_PTR(-EAFNOSUPPORT);
95 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
96 const struct nlattr *nla)
98 struct nft_table *table;
100 list_for_each_entry(table, &afi->tables, list) {
101 if (!nla_strcmp(nla, table->name))
107 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
108 const struct nlattr *nla)
110 struct nft_table *table;
113 return ERR_PTR(-EINVAL);
115 table = nft_table_lookup(afi, nla);
119 return ERR_PTR(-ENOENT);
122 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
124 return ++table->hgenerator;
127 static struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
129 static int __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
133 for (i=0; i<NFT_CHAIN_T_MAX; i++) {
134 if (chain_type[family][i] != NULL &&
135 !nla_strcmp(nla, chain_type[family][i]->name))
141 static int nf_tables_chain_type_lookup(const struct nft_af_info *afi,
142 const struct nlattr *nla,
147 type = __nf_tables_chain_type_lookup(afi->family, nla);
148 #ifdef CONFIG_MODULES
149 if (type < 0 && autoload) {
150 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
151 request_module("nft-chain-%u-%*.s", afi->family,
152 nla_len(nla)-1, (const char *)nla_data(nla));
153 nfnl_lock(NFNL_SUBSYS_NFTABLES);
154 type = __nf_tables_chain_type_lookup(afi->family, nla);
160 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
161 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
162 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
165 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
166 int event, u32 flags, int family,
167 const struct nft_table *table)
169 struct nlmsghdr *nlh;
170 struct nfgenmsg *nfmsg;
172 event |= NFNL_SUBSYS_NFTABLES << 8;
173 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
175 goto nla_put_failure;
177 nfmsg = nlmsg_data(nlh);
178 nfmsg->nfgen_family = family;
179 nfmsg->version = NFNETLINK_V0;
182 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
183 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
184 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
185 goto nla_put_failure;
187 return nlmsg_end(skb, nlh);
190 nlmsg_trim(skb, nlh);
194 static int nf_tables_table_notify(const struct sk_buff *oskb,
195 const struct nlmsghdr *nlh,
196 const struct nft_table *table,
197 int event, int family)
200 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
201 u32 seq = nlh ? nlh->nlmsg_seq : 0;
202 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
206 report = nlh ? nlmsg_report(nlh) : false;
207 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
211 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
215 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
222 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
226 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
230 static int nf_tables_dump_tables(struct sk_buff *skb,
231 struct netlink_callback *cb)
233 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
234 const struct nft_af_info *afi;
235 const struct nft_table *table;
236 unsigned int idx = 0, s_idx = cb->args[0];
237 struct net *net = sock_net(skb->sk);
238 int family = nfmsg->nfgen_family;
240 list_for_each_entry(afi, &net->nft.af_info, list) {
241 if (family != NFPROTO_UNSPEC && family != afi->family)
244 list_for_each_entry(table, &afi->tables, list) {
248 memset(&cb->args[1], 0,
249 sizeof(cb->args) - sizeof(cb->args[0]));
250 if (nf_tables_fill_table_info(skb,
251 NETLINK_CB(cb->skb).portid,
255 afi->family, table) < 0)
266 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
267 const struct nlmsghdr *nlh,
268 const struct nlattr * const nla[])
270 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
271 const struct nft_af_info *afi;
272 const struct nft_table *table;
273 struct sk_buff *skb2;
274 struct net *net = sock_net(skb->sk);
275 int family = nfmsg->nfgen_family;
278 if (nlh->nlmsg_flags & NLM_F_DUMP) {
279 struct netlink_dump_control c = {
280 .dump = nf_tables_dump_tables,
282 return netlink_dump_start(nlsk, skb, nlh, &c);
285 afi = nf_tables_afinfo_lookup(net, family, false);
289 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
291 return PTR_ERR(table);
293 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
297 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
298 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
303 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
310 static int nf_tables_table_enable(struct nft_table *table)
312 struct nft_chain *chain;
315 list_for_each_entry(chain, &table->chains, list) {
316 err = nf_register_hook(&nft_base_chain(chain)->ops);
324 list_for_each_entry(chain, &table->chains, list) {
328 nf_unregister_hook(&nft_base_chain(chain)->ops);
333 static int nf_tables_table_disable(struct nft_table *table)
335 struct nft_chain *chain;
337 list_for_each_entry(chain, &table->chains, list)
338 nf_unregister_hook(&nft_base_chain(chain)->ops);
343 static int nf_tables_updtable(struct sock *nlsk, struct sk_buff *skb,
344 const struct nlmsghdr *nlh,
345 const struct nlattr * const nla[],
346 struct nft_af_info *afi, struct nft_table *table)
348 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
349 int family = nfmsg->nfgen_family, ret = 0;
351 if (nla[NFTA_TABLE_FLAGS]) {
354 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
355 if (flags & ~NFT_TABLE_F_DORMANT)
358 if ((flags & NFT_TABLE_F_DORMANT) &&
359 !(table->flags & NFT_TABLE_F_DORMANT)) {
360 ret = nf_tables_table_disable(table);
362 table->flags |= NFT_TABLE_F_DORMANT;
363 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
364 table->flags & NFT_TABLE_F_DORMANT) {
365 ret = nf_tables_table_enable(table);
367 table->flags &= ~NFT_TABLE_F_DORMANT;
373 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
378 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
379 const struct nlmsghdr *nlh,
380 const struct nlattr * const nla[])
382 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
383 const struct nlattr *name;
384 struct nft_af_info *afi;
385 struct nft_table *table;
386 struct net *net = sock_net(skb->sk);
387 int family = nfmsg->nfgen_family;
389 afi = nf_tables_afinfo_lookup(net, family, true);
393 name = nla[NFTA_TABLE_NAME];
394 table = nf_tables_table_lookup(afi, name);
396 if (PTR_ERR(table) != -ENOENT)
397 return PTR_ERR(table);
402 if (nlh->nlmsg_flags & NLM_F_EXCL)
404 if (nlh->nlmsg_flags & NLM_F_REPLACE)
406 return nf_tables_updtable(nlsk, skb, nlh, nla, afi, table);
409 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
413 nla_strlcpy(table->name, name, nla_len(name));
414 INIT_LIST_HEAD(&table->chains);
415 INIT_LIST_HEAD(&table->sets);
417 if (nla[NFTA_TABLE_FLAGS]) {
420 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
421 if (flags & ~NFT_TABLE_F_DORMANT) {
426 table->flags |= flags;
429 list_add_tail(&table->list, &afi->tables);
430 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
434 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
435 const struct nlmsghdr *nlh,
436 const struct nlattr * const nla[])
438 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
439 struct nft_af_info *afi;
440 struct nft_table *table;
441 struct net *net = sock_net(skb->sk);
442 int family = nfmsg->nfgen_family;
444 afi = nf_tables_afinfo_lookup(net, family, false);
448 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME]);
450 return PTR_ERR(table);
455 list_del(&table->list);
456 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
461 int nft_register_chain_type(struct nf_chain_type *ctype)
465 nfnl_lock(NFNL_SUBSYS_NFTABLES);
466 if (chain_type[ctype->family][ctype->type] != NULL) {
471 if (!try_module_get(ctype->me))
474 chain_type[ctype->family][ctype->type] = ctype;
476 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
479 EXPORT_SYMBOL_GPL(nft_register_chain_type);
481 void nft_unregister_chain_type(struct nf_chain_type *ctype)
483 nfnl_lock(NFNL_SUBSYS_NFTABLES);
484 chain_type[ctype->family][ctype->type] = NULL;
485 module_put(ctype->me);
486 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
488 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
494 static struct nft_chain *
495 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
497 struct nft_chain *chain;
499 list_for_each_entry(chain, &table->chains, list) {
500 if (chain->handle == handle)
504 return ERR_PTR(-ENOENT);
507 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
508 const struct nlattr *nla)
510 struct nft_chain *chain;
513 return ERR_PTR(-EINVAL);
515 list_for_each_entry(chain, &table->chains, list) {
516 if (!nla_strcmp(nla, chain->name))
520 return ERR_PTR(-ENOENT);
523 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
524 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
525 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
526 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
527 .len = NFT_CHAIN_MAXNAMELEN - 1 },
528 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
529 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
530 [NFTA_CHAIN_TYPE] = { .type = NLA_NUL_STRING },
531 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
534 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
535 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
536 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
539 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
541 struct nft_stats *cpu_stats, total;
545 memset(&total, 0, sizeof(total));
546 for_each_possible_cpu(cpu) {
547 cpu_stats = per_cpu_ptr(stats, cpu);
548 total.pkts += cpu_stats->pkts;
549 total.bytes += cpu_stats->bytes;
551 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
553 goto nla_put_failure;
555 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts)) ||
556 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)))
557 goto nla_put_failure;
559 nla_nest_end(skb, nest);
566 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
567 int event, u32 flags, int family,
568 const struct nft_table *table,
569 const struct nft_chain *chain)
571 struct nlmsghdr *nlh;
572 struct nfgenmsg *nfmsg;
574 event |= NFNL_SUBSYS_NFTABLES << 8;
575 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
577 goto nla_put_failure;
579 nfmsg = nlmsg_data(nlh);
580 nfmsg->nfgen_family = family;
581 nfmsg->version = NFNETLINK_V0;
584 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
585 goto nla_put_failure;
586 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
587 goto nla_put_failure;
588 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
589 goto nla_put_failure;
591 if (chain->flags & NFT_BASE_CHAIN) {
592 const struct nft_base_chain *basechain = nft_base_chain(chain);
593 const struct nf_hook_ops *ops = &basechain->ops;
596 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
598 goto nla_put_failure;
599 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
600 goto nla_put_failure;
601 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
602 goto nla_put_failure;
603 nla_nest_end(skb, nest);
605 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
606 htonl(basechain->policy)))
607 goto nla_put_failure;
609 if (nla_put_string(skb, NFTA_CHAIN_TYPE,
610 chain_type[ops->pf][nft_base_chain(chain)->type]->name))
611 goto nla_put_failure;
613 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
614 goto nla_put_failure;
617 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
618 goto nla_put_failure;
620 return nlmsg_end(skb, nlh);
623 nlmsg_trim(skb, nlh);
627 static int nf_tables_chain_notify(const struct sk_buff *oskb,
628 const struct nlmsghdr *nlh,
629 const struct nft_table *table,
630 const struct nft_chain *chain,
631 int event, int family)
634 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
635 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
636 u32 seq = nlh ? nlh->nlmsg_seq : 0;
640 report = nlh ? nlmsg_report(nlh) : false;
641 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
645 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
649 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
656 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
660 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
664 static int nf_tables_dump_chains(struct sk_buff *skb,
665 struct netlink_callback *cb)
667 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
668 const struct nft_af_info *afi;
669 const struct nft_table *table;
670 const struct nft_chain *chain;
671 unsigned int idx = 0, s_idx = cb->args[0];
672 struct net *net = sock_net(skb->sk);
673 int family = nfmsg->nfgen_family;
675 list_for_each_entry(afi, &net->nft.af_info, list) {
676 if (family != NFPROTO_UNSPEC && family != afi->family)
679 list_for_each_entry(table, &afi->tables, list) {
680 list_for_each_entry(chain, &table->chains, list) {
684 memset(&cb->args[1], 0,
685 sizeof(cb->args) - sizeof(cb->args[0]));
686 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
690 afi->family, table, chain) < 0)
703 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
704 const struct nlmsghdr *nlh,
705 const struct nlattr * const nla[])
707 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
708 const struct nft_af_info *afi;
709 const struct nft_table *table;
710 const struct nft_chain *chain;
711 struct sk_buff *skb2;
712 struct net *net = sock_net(skb->sk);
713 int family = nfmsg->nfgen_family;
716 if (nlh->nlmsg_flags & NLM_F_DUMP) {
717 struct netlink_dump_control c = {
718 .dump = nf_tables_dump_chains,
720 return netlink_dump_start(nlsk, skb, nlh, &c);
723 afi = nf_tables_afinfo_lookup(net, family, false);
727 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
729 return PTR_ERR(table);
731 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
733 return PTR_ERR(chain);
735 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
739 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
740 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
741 family, table, chain);
745 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
753 nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
755 switch (ntohl(nla_get_be32(attr))) {
757 chain->policy = NF_DROP;
760 chain->policy = NF_ACCEPT;
768 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
769 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
770 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
774 nf_tables_counters(struct nft_base_chain *chain, const struct nlattr *attr)
776 struct nlattr *tb[NFTA_COUNTER_MAX+1];
777 struct nft_stats __percpu *newstats;
778 struct nft_stats *stats;
781 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
785 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
788 newstats = alloc_percpu(struct nft_stats);
789 if (newstats == NULL)
792 /* Restore old counters on this cpu, no problem. Per-cpu statistics
793 * are not exposed to userspace.
795 stats = this_cpu_ptr(newstats);
796 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
797 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
800 /* nfnl_lock is held, add some nfnl function for this, later */
801 struct nft_stats __percpu *oldstats =
802 rcu_dereference_protected(chain->stats, 1);
804 rcu_assign_pointer(chain->stats, newstats);
806 free_percpu(oldstats);
808 rcu_assign_pointer(chain->stats, newstats);
813 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
814 const struct nlmsghdr *nlh,
815 const struct nlattr * const nla[])
817 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
818 const struct nlattr * uninitialized_var(name);
819 const struct nft_af_info *afi;
820 struct nft_table *table;
821 struct nft_chain *chain;
822 struct nft_base_chain *basechain = NULL;
823 struct nlattr *ha[NFTA_HOOK_MAX + 1];
824 struct net *net = sock_net(skb->sk);
825 int family = nfmsg->nfgen_family;
830 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
832 afi = nf_tables_afinfo_lookup(net, family, true);
836 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
838 return PTR_ERR(table);
840 if (table->use == UINT_MAX)
844 name = nla[NFTA_CHAIN_NAME];
846 if (nla[NFTA_CHAIN_HANDLE]) {
847 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
848 chain = nf_tables_chain_lookup_byhandle(table, handle);
850 return PTR_ERR(chain);
852 chain = nf_tables_chain_lookup(table, name);
854 if (PTR_ERR(chain) != -ENOENT)
855 return PTR_ERR(chain);
861 if (nlh->nlmsg_flags & NLM_F_EXCL)
863 if (nlh->nlmsg_flags & NLM_F_REPLACE)
866 if (nla[NFTA_CHAIN_HANDLE] && name &&
867 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
870 if (nla[NFTA_CHAIN_POLICY]) {
871 if (!(chain->flags & NFT_BASE_CHAIN))
874 err = nf_tables_chain_policy(nft_base_chain(chain),
875 nla[NFTA_CHAIN_POLICY]);
880 if (nla[NFTA_CHAIN_COUNTERS]) {
881 if (!(chain->flags & NFT_BASE_CHAIN))
884 err = nf_tables_counters(nft_base_chain(chain),
885 nla[NFTA_CHAIN_COUNTERS]);
890 if (nla[NFTA_CHAIN_HANDLE] && name)
891 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
896 if (nla[NFTA_CHAIN_HOOK]) {
897 struct nf_hook_ops *ops;
900 int type = NFT_CHAIN_T_DEFAULT;
902 if (nla[NFTA_CHAIN_TYPE]) {
903 type = nf_tables_chain_type_lookup(afi,
904 nla[NFTA_CHAIN_TYPE],
910 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
914 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
915 ha[NFTA_HOOK_PRIORITY] == NULL)
918 hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
919 if (hooknum >= afi->nhooks)
922 hookfn = chain_type[family][type]->fn[hooknum];
926 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
927 if (basechain == NULL)
930 basechain->type = type;
931 chain = &basechain->chain;
933 ops = &basechain->ops;
935 ops->owner = afi->owner;
936 ops->hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
937 ops->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
940 if (afi->hooks[ops->hooknum])
941 ops->hook = afi->hooks[ops->hooknum];
943 chain->flags |= NFT_BASE_CHAIN;
945 if (nla[NFTA_CHAIN_POLICY]) {
946 err = nf_tables_chain_policy(basechain,
947 nla[NFTA_CHAIN_POLICY]);
949 free_percpu(basechain->stats);
954 basechain->policy = NF_ACCEPT;
956 if (nla[NFTA_CHAIN_COUNTERS]) {
957 err = nf_tables_counters(basechain,
958 nla[NFTA_CHAIN_COUNTERS]);
960 free_percpu(basechain->stats);
965 struct nft_stats __percpu *newstats;
967 newstats = alloc_percpu(struct nft_stats);
968 if (newstats == NULL)
971 rcu_assign_pointer(nft_base_chain(chain)->stats,
975 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
980 INIT_LIST_HEAD(&chain->rules);
981 chain->handle = nf_tables_alloc_handle(table);
983 chain->table = table;
984 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
986 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
987 chain->flags & NFT_BASE_CHAIN) {
988 err = nf_register_hook(&nft_base_chain(chain)->ops);
990 free_percpu(basechain->stats);
995 list_add_tail(&chain->list, &table->chains);
998 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
1003 static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
1005 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
1007 BUG_ON(chain->use > 0);
1009 if (chain->flags & NFT_BASE_CHAIN) {
1010 free_percpu(nft_base_chain(chain)->stats);
1011 kfree(nft_base_chain(chain));
1016 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
1017 const struct nlmsghdr *nlh,
1018 const struct nlattr * const nla[])
1020 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1021 const struct nft_af_info *afi;
1022 struct nft_table *table;
1023 struct nft_chain *chain;
1024 struct net *net = sock_net(skb->sk);
1025 int family = nfmsg->nfgen_family;
1027 afi = nf_tables_afinfo_lookup(net, family, false);
1029 return PTR_ERR(afi);
1031 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE]);
1033 return PTR_ERR(table);
1035 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
1037 return PTR_ERR(chain);
1039 if (!list_empty(&chain->rules))
1042 list_del(&chain->list);
1045 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
1046 chain->flags & NFT_BASE_CHAIN)
1047 nf_unregister_hook(&nft_base_chain(chain)->ops);
1049 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
1052 /* Make sure all rule references are gone before this is released */
1053 call_rcu(&chain->rcu_head, nf_tables_rcu_chain_destroy);
1057 static void nft_ctx_init(struct nft_ctx *ctx,
1058 const struct sk_buff *skb,
1059 const struct nlmsghdr *nlh,
1060 const struct nft_af_info *afi,
1061 const struct nft_table *table,
1062 const struct nft_chain *chain,
1063 const struct nlattr * const *nla)
1065 ctx->net = sock_net(skb->sk);
1079 * nft_register_expr - register nf_tables expr type
1082 * Registers the expr type for use with nf_tables. Returns zero on
1083 * success or a negative errno code otherwise.
1085 int nft_register_expr(struct nft_expr_type *type)
1087 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1088 list_add_tail(&type->list, &nf_tables_expressions);
1089 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1092 EXPORT_SYMBOL_GPL(nft_register_expr);
1095 * nft_unregister_expr - unregister nf_tables expr type
1098 * Unregisters the expr typefor use with nf_tables.
1100 void nft_unregister_expr(struct nft_expr_type *type)
1102 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1103 list_del(&type->list);
1104 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1106 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1108 static const struct nft_expr_type *__nft_expr_type_get(struct nlattr *nla)
1110 const struct nft_expr_type *type;
1112 list_for_each_entry(type, &nf_tables_expressions, list) {
1113 if (!nla_strcmp(nla, type->name))
1119 static const struct nft_expr_type *nft_expr_type_get(struct nlattr *nla)
1121 const struct nft_expr_type *type;
1124 return ERR_PTR(-EINVAL);
1126 type = __nft_expr_type_get(nla);
1127 if (type != NULL && try_module_get(type->owner))
1130 #ifdef CONFIG_MODULES
1132 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1133 request_module("nft-expr-%.*s",
1134 nla_len(nla), (char *)nla_data(nla));
1135 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1136 if (__nft_expr_type_get(nla))
1137 return ERR_PTR(-EAGAIN);
1140 return ERR_PTR(-ENOENT);
1143 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1144 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1145 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1148 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1149 const struct nft_expr *expr)
1151 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1152 goto nla_put_failure;
1154 if (expr->ops->dump) {
1155 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1157 goto nla_put_failure;
1158 if (expr->ops->dump(skb, expr) < 0)
1159 goto nla_put_failure;
1160 nla_nest_end(skb, data);
1169 struct nft_expr_info {
1170 const struct nft_expr_ops *ops;
1171 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1174 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1175 const struct nlattr *nla,
1176 struct nft_expr_info *info)
1178 const struct nft_expr_type *type;
1179 const struct nft_expr_ops *ops;
1180 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1183 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1187 type = nft_expr_type_get(tb[NFTA_EXPR_NAME]);
1189 return PTR_ERR(type);
1191 if (tb[NFTA_EXPR_DATA]) {
1192 err = nla_parse_nested(info->tb, type->maxattr,
1193 tb[NFTA_EXPR_DATA], type->policy);
1197 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1199 if (type->select_ops != NULL) {
1200 ops = type->select_ops(ctx,
1201 (const struct nlattr * const *)info->tb);
1213 module_put(type->owner);
1217 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1218 const struct nft_expr_info *info,
1219 struct nft_expr *expr)
1221 const struct nft_expr_ops *ops = info->ops;
1226 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1238 static void nf_tables_expr_destroy(struct nft_expr *expr)
1240 if (expr->ops->destroy)
1241 expr->ops->destroy(expr);
1242 module_put(expr->ops->type->owner);
1249 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1252 struct nft_rule *rule;
1254 // FIXME: this sucks
1255 list_for_each_entry(rule, &chain->rules, list) {
1256 if (handle == rule->handle)
1260 return ERR_PTR(-ENOENT);
1263 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1264 const struct nlattr *nla)
1267 return ERR_PTR(-EINVAL);
1269 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1272 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1273 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1274 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1275 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1276 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1277 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1278 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1279 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1282 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1283 int event, u32 flags, int family,
1284 const struct nft_table *table,
1285 const struct nft_chain *chain,
1286 const struct nft_rule *rule)
1288 struct nlmsghdr *nlh;
1289 struct nfgenmsg *nfmsg;
1290 const struct nft_expr *expr, *next;
1291 struct nlattr *list;
1292 const struct nft_rule *prule;
1293 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1295 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1298 goto nla_put_failure;
1300 nfmsg = nlmsg_data(nlh);
1301 nfmsg->nfgen_family = family;
1302 nfmsg->version = NFNETLINK_V0;
1305 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1306 goto nla_put_failure;
1307 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1308 goto nla_put_failure;
1309 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1310 goto nla_put_failure;
1312 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1313 prule = list_entry(rule->list.prev, struct nft_rule, list);
1314 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1315 cpu_to_be64(prule->handle)))
1316 goto nla_put_failure;
1319 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1321 goto nla_put_failure;
1322 nft_rule_for_each_expr(expr, next, rule) {
1323 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1325 goto nla_put_failure;
1326 if (nf_tables_fill_expr_info(skb, expr) < 0)
1327 goto nla_put_failure;
1328 nla_nest_end(skb, elem);
1330 nla_nest_end(skb, list);
1332 return nlmsg_end(skb, nlh);
1335 nlmsg_trim(skb, nlh);
1339 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1340 const struct nlmsghdr *nlh,
1341 const struct nft_table *table,
1342 const struct nft_chain *chain,
1343 const struct nft_rule *rule,
1344 int event, u32 flags, int family)
1346 struct sk_buff *skb;
1347 u32 portid = NETLINK_CB(oskb).portid;
1348 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1349 u32 seq = nlh->nlmsg_seq;
1353 report = nlmsg_report(nlh);
1354 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1358 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1362 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1363 family, table, chain, rule);
1369 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1373 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1378 nft_rule_is_active(struct net *net, const struct nft_rule *rule)
1380 return (rule->genmask & (1 << net->nft.gencursor)) == 0;
1383 static inline int gencursor_next(struct net *net)
1385 return net->nft.gencursor+1 == 1 ? 1 : 0;
1389 nft_rule_is_active_next(struct net *net, const struct nft_rule *rule)
1391 return (rule->genmask & (1 << gencursor_next(net))) == 0;
1395 nft_rule_activate_next(struct net *net, struct nft_rule *rule)
1397 /* Now inactive, will be active in the future */
1398 rule->genmask = (1 << net->nft.gencursor);
1402 nft_rule_disactivate_next(struct net *net, struct nft_rule *rule)
1404 rule->genmask = (1 << gencursor_next(net));
1407 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
1412 static int nf_tables_dump_rules(struct sk_buff *skb,
1413 struct netlink_callback *cb)
1415 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1416 const struct nft_af_info *afi;
1417 const struct nft_table *table;
1418 const struct nft_chain *chain;
1419 const struct nft_rule *rule;
1420 unsigned int idx = 0, s_idx = cb->args[0];
1421 struct net *net = sock_net(skb->sk);
1422 int family = nfmsg->nfgen_family;
1423 u8 genctr = ACCESS_ONCE(net->nft.genctr);
1424 u8 gencursor = ACCESS_ONCE(net->nft.gencursor);
1426 list_for_each_entry(afi, &net->nft.af_info, list) {
1427 if (family != NFPROTO_UNSPEC && family != afi->family)
1430 list_for_each_entry(table, &afi->tables, list) {
1431 list_for_each_entry(chain, &table->chains, list) {
1432 list_for_each_entry(rule, &chain->rules, list) {
1433 if (!nft_rule_is_active(net, rule))
1438 memset(&cb->args[1], 0,
1439 sizeof(cb->args) - sizeof(cb->args[0]));
1440 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1443 NLM_F_MULTI | NLM_F_APPEND,
1444 afi->family, table, chain, rule) < 0)
1453 /* Invalidate this dump, a transition to the new generation happened */
1454 if (gencursor != net->nft.gencursor || genctr != net->nft.genctr)
1461 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1462 const struct nlmsghdr *nlh,
1463 const struct nlattr * const nla[])
1465 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1466 const struct nft_af_info *afi;
1467 const struct nft_table *table;
1468 const struct nft_chain *chain;
1469 const struct nft_rule *rule;
1470 struct sk_buff *skb2;
1471 struct net *net = sock_net(skb->sk);
1472 int family = nfmsg->nfgen_family;
1475 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1476 struct netlink_dump_control c = {
1477 .dump = nf_tables_dump_rules,
1479 return netlink_dump_start(nlsk, skb, nlh, &c);
1482 afi = nf_tables_afinfo_lookup(net, family, false);
1484 return PTR_ERR(afi);
1486 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1488 return PTR_ERR(table);
1490 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1492 return PTR_ERR(chain);
1494 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1496 return PTR_ERR(rule);
1498 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1502 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1503 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1504 family, table, chain, rule);
1508 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1515 static void nf_tables_rcu_rule_destroy(struct rcu_head *head)
1517 struct nft_rule *rule = container_of(head, struct nft_rule, rcu_head);
1518 struct nft_expr *expr;
1521 * Careful: some expressions might not be initialized in case this
1522 * is called on error from nf_tables_newrule().
1524 expr = nft_expr_first(rule);
1525 while (expr->ops && expr != nft_expr_last(rule)) {
1526 nf_tables_expr_destroy(expr);
1527 expr = nft_expr_next(expr);
1532 static void nf_tables_rule_destroy(struct nft_rule *rule)
1534 call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
1537 #define NFT_RULE_MAXEXPRS 128
1539 static struct nft_expr_info *info;
1541 static struct nft_rule_trans *
1542 nf_tables_trans_add(struct nft_rule *rule, const struct nft_ctx *ctx)
1544 struct nft_rule_trans *rupd;
1546 rupd = kmalloc(sizeof(struct nft_rule_trans), GFP_KERNEL);
1550 rupd->chain = ctx->chain;
1551 rupd->table = ctx->table;
1553 rupd->family = ctx->afi->family;
1554 rupd->nlh = ctx->nlh;
1555 list_add_tail(&rupd->list, &ctx->net->nft.commit_list);
1560 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1561 const struct nlmsghdr *nlh,
1562 const struct nlattr * const nla[])
1564 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1565 const struct nft_af_info *afi;
1566 struct net *net = sock_net(skb->sk);
1567 struct nft_table *table;
1568 struct nft_chain *chain;
1569 struct nft_rule *rule, *old_rule = NULL;
1570 struct nft_rule_trans *repl = NULL;
1571 struct nft_expr *expr;
1574 unsigned int size, i, n;
1577 u64 handle, pos_handle;
1579 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1581 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
1583 return PTR_ERR(afi);
1585 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1587 return PTR_ERR(table);
1589 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1591 return PTR_ERR(chain);
1593 if (nla[NFTA_RULE_HANDLE]) {
1594 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1595 rule = __nf_tables_rule_lookup(chain, handle);
1597 return PTR_ERR(rule);
1599 if (nlh->nlmsg_flags & NLM_F_EXCL)
1601 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1606 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1608 handle = nf_tables_alloc_handle(table);
1611 if (nla[NFTA_RULE_POSITION]) {
1612 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1615 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
1616 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
1617 if (IS_ERR(old_rule))
1618 return PTR_ERR(old_rule);
1621 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1625 if (nla[NFTA_RULE_EXPRESSIONS]) {
1626 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1628 if (nla_type(tmp) != NFTA_LIST_ELEM)
1630 if (n == NFT_RULE_MAXEXPRS)
1632 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
1635 size += info[n].ops->size;
1641 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1645 nft_rule_activate_next(net, rule);
1647 rule->handle = handle;
1650 expr = nft_expr_first(rule);
1651 for (i = 0; i < n; i++) {
1652 err = nf_tables_newexpr(&ctx, &info[i], expr);
1656 expr = nft_expr_next(expr);
1659 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1660 if (nft_rule_is_active_next(net, old_rule)) {
1661 repl = nf_tables_trans_add(old_rule, &ctx);
1666 nft_rule_disactivate_next(net, old_rule);
1667 list_add_tail(&rule->list, &old_rule->list);
1672 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1674 list_add_rcu(&rule->list, &old_rule->list);
1676 list_add_tail_rcu(&rule->list, &chain->rules);
1679 list_add_tail_rcu(&rule->list, &old_rule->list);
1681 list_add_rcu(&rule->list, &chain->rules);
1684 if (nf_tables_trans_add(rule, &ctx) == NULL) {
1691 list_del_rcu(&rule->list);
1693 list_del_rcu(&repl->rule->list);
1694 list_del(&repl->list);
1695 nft_rule_clear(net, repl->rule);
1699 nf_tables_rule_destroy(rule);
1701 for (i = 0; i < n; i++) {
1702 if (info[i].ops != NULL)
1703 module_put(info[i].ops->type->owner);
1709 nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
1711 /* You cannot delete the same rule twice */
1712 if (nft_rule_is_active_next(ctx->net, rule)) {
1713 if (nf_tables_trans_add(rule, ctx) == NULL)
1715 nft_rule_disactivate_next(ctx->net, rule);
1721 static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
1723 struct nft_rule *rule;
1726 list_for_each_entry(rule, &ctx->chain->rules, list) {
1727 err = nf_tables_delrule_one(ctx, rule);
1734 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1735 const struct nlmsghdr *nlh,
1736 const struct nlattr * const nla[])
1738 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1739 const struct nft_af_info *afi;
1740 struct net *net = sock_net(skb->sk);
1741 const struct nft_table *table;
1742 struct nft_chain *chain = NULL;
1743 struct nft_rule *rule;
1744 int family = nfmsg->nfgen_family, err = 0;
1747 afi = nf_tables_afinfo_lookup(net, family, false);
1749 return PTR_ERR(afi);
1751 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE]);
1753 return PTR_ERR(table);
1755 if (nla[NFTA_RULE_CHAIN]) {
1756 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1758 return PTR_ERR(chain);
1761 nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
1764 if (nla[NFTA_RULE_HANDLE]) {
1765 rule = nf_tables_rule_lookup(chain,
1766 nla[NFTA_RULE_HANDLE]);
1768 return PTR_ERR(rule);
1770 err = nf_tables_delrule_one(&ctx, rule);
1772 err = nf_table_delrule_by_chain(&ctx);
1775 list_for_each_entry(chain, &table->chains, list) {
1777 err = nf_table_delrule_by_chain(&ctx);
1786 static int nf_tables_commit(struct sk_buff *skb)
1788 struct net *net = sock_net(skb->sk);
1789 struct nft_rule_trans *rupd, *tmp;
1791 /* Bump generation counter, invalidate any dump in progress */
1794 /* A new generation has just started */
1795 net->nft.gencursor = gencursor_next(net);
1797 /* Make sure all packets have left the previous generation before
1798 * purging old rules.
1802 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1803 /* Delete this rule from the dirty list */
1804 list_del(&rupd->list);
1806 /* This rule was inactive in the past and just became active.
1807 * Clear the next bit of the genmask since its meaning has
1808 * changed, now it is the future.
1810 if (nft_rule_is_active(net, rupd->rule)) {
1811 nft_rule_clear(net, rupd->rule);
1812 nf_tables_rule_notify(skb, rupd->nlh, rupd->table,
1813 rupd->chain, rupd->rule,
1820 /* This rule is in the past, get rid of it */
1821 list_del_rcu(&rupd->rule->list);
1822 nf_tables_rule_notify(skb, rupd->nlh, rupd->table, rupd->chain,
1823 rupd->rule, NFT_MSG_DELRULE, 0,
1825 nf_tables_rule_destroy(rupd->rule);
1832 static int nf_tables_abort(struct sk_buff *skb)
1834 struct net *net = sock_net(skb->sk);
1835 struct nft_rule_trans *rupd, *tmp;
1837 list_for_each_entry_safe(rupd, tmp, &net->nft.commit_list, list) {
1838 /* Delete all rules from the dirty list */
1839 list_del(&rupd->list);
1841 if (!nft_rule_is_active_next(net, rupd->rule)) {
1842 nft_rule_clear(net, rupd->rule);
1847 /* This rule is inactive, get rid of it */
1848 list_del_rcu(&rupd->rule->list);
1849 nf_tables_rule_destroy(rupd->rule);
1859 static LIST_HEAD(nf_tables_set_ops);
1861 int nft_register_set(struct nft_set_ops *ops)
1863 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1864 list_add_tail(&ops->list, &nf_tables_set_ops);
1865 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1868 EXPORT_SYMBOL_GPL(nft_register_set);
1870 void nft_unregister_set(struct nft_set_ops *ops)
1872 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1873 list_del(&ops->list);
1874 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1876 EXPORT_SYMBOL_GPL(nft_unregister_set);
1878 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1880 const struct nft_set_ops *ops;
1883 #ifdef CONFIG_MODULES
1884 if (list_empty(&nf_tables_set_ops)) {
1885 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1886 request_module("nft-set");
1887 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1888 if (!list_empty(&nf_tables_set_ops))
1889 return ERR_PTR(-EAGAIN);
1893 if (nla[NFTA_SET_FLAGS] != NULL) {
1894 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1895 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1898 // FIXME: implement selection properly
1899 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1900 if ((ops->features & features) != features)
1902 if (!try_module_get(ops->owner))
1907 return ERR_PTR(-EOPNOTSUPP);
1910 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1911 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1912 [NFTA_SET_NAME] = { .type = NLA_STRING },
1913 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1914 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1915 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1916 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1917 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1920 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1921 const struct sk_buff *skb,
1922 const struct nlmsghdr *nlh,
1923 const struct nlattr * const nla[])
1925 struct net *net = sock_net(skb->sk);
1926 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1927 const struct nft_af_info *afi = NULL;
1928 const struct nft_table *table = NULL;
1930 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
1931 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
1933 return PTR_ERR(afi);
1936 if (nla[NFTA_SET_TABLE] != NULL) {
1937 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
1939 return PTR_ERR(table);
1942 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
1946 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1947 const struct nlattr *nla)
1949 struct nft_set *set;
1952 return ERR_PTR(-EINVAL);
1954 list_for_each_entry(set, &table->sets, list) {
1955 if (!nla_strcmp(nla, set->name))
1958 return ERR_PTR(-ENOENT);
1961 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1964 const struct nft_set *i;
1966 unsigned long *inuse;
1969 p = strnchr(name, IFNAMSIZ, '%');
1971 if (p[1] != 'd' || strchr(p + 2, '%'))
1974 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
1978 list_for_each_entry(i, &ctx->table->sets, list) {
1981 if (!sscanf(i->name, name, &tmp))
1983 if (tmp < 0 || tmp > BITS_PER_LONG * PAGE_SIZE)
1986 set_bit(tmp, inuse);
1989 n = find_first_zero_bit(inuse, BITS_PER_LONG * PAGE_SIZE);
1990 free_page((unsigned long)inuse);
1993 snprintf(set->name, sizeof(set->name), name, n);
1994 list_for_each_entry(i, &ctx->table->sets, list) {
1995 if (!strcmp(set->name, i->name))
2001 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2002 const struct nft_set *set, u16 event, u16 flags)
2004 struct nfgenmsg *nfmsg;
2005 struct nlmsghdr *nlh;
2006 u32 portid = NETLINK_CB(ctx->skb).portid;
2007 u32 seq = ctx->nlh->nlmsg_seq;
2009 event |= NFNL_SUBSYS_NFTABLES << 8;
2010 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2013 goto nla_put_failure;
2015 nfmsg = nlmsg_data(nlh);
2016 nfmsg->nfgen_family = ctx->afi->family;
2017 nfmsg->version = NFNETLINK_V0;
2020 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2021 goto nla_put_failure;
2022 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2023 goto nla_put_failure;
2024 if (set->flags != 0)
2025 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2026 goto nla_put_failure;
2028 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2029 goto nla_put_failure;
2030 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2031 goto nla_put_failure;
2032 if (set->flags & NFT_SET_MAP) {
2033 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2034 goto nla_put_failure;
2035 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2036 goto nla_put_failure;
2039 return nlmsg_end(skb, nlh);
2042 nlmsg_trim(skb, nlh);
2046 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2047 const struct nft_set *set,
2050 struct sk_buff *skb;
2051 u32 portid = NETLINK_CB(ctx->skb).portid;
2055 report = nlmsg_report(ctx->nlh);
2056 if (!report && !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2060 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2064 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2070 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, report,
2074 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2078 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
2079 struct netlink_callback *cb)
2081 const struct nft_set *set;
2082 unsigned int idx = 0, s_idx = cb->args[0];
2087 list_for_each_entry(set, &ctx->table->sets, list) {
2090 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2103 static int nf_tables_dump_sets_family(struct nft_ctx *ctx, struct sk_buff *skb,
2104 struct netlink_callback *cb)
2106 const struct nft_set *set;
2107 unsigned int idx = 0, s_idx = cb->args[0];
2108 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2113 list_for_each_entry(table, &ctx->afi->tables, list) {
2114 if (cur_table && cur_table != table)
2118 list_for_each_entry(set, &ctx->table->sets, list) {
2121 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
2124 cb->args[2] = (unsigned long) table;
2136 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
2137 struct netlink_callback *cb)
2139 const struct nft_set *set;
2140 unsigned int idx, s_idx = cb->args[0];
2141 const struct nft_af_info *afi;
2142 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2143 struct net *net = sock_net(skb->sk);
2144 int cur_family = cb->args[3];
2149 list_for_each_entry(afi, &net->nft.af_info, list) {
2151 if (afi->family != cur_family)
2157 list_for_each_entry(table, &afi->tables, list) {
2159 if (cur_table != table)
2168 list_for_each_entry(set, &ctx->table->sets, list) {
2171 if (nf_tables_fill_set(skb, ctx, set,
2175 cb->args[2] = (unsigned long) table;
2176 cb->args[3] = afi->family;
2191 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2193 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2194 struct nlattr *nla[NFTA_SET_MAX + 1];
2198 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
2203 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2207 if (ctx.table == NULL) {
2208 if (ctx.afi == NULL)
2209 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
2211 ret = nf_tables_dump_sets_family(&ctx, skb, cb);
2213 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
2218 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
2219 const struct nlmsghdr *nlh,
2220 const struct nlattr * const nla[])
2222 const struct nft_set *set;
2224 struct sk_buff *skb2;
2225 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2228 /* Verify existance before starting dump */
2229 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2233 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2234 struct netlink_dump_control c = {
2235 .dump = nf_tables_dump_sets,
2237 return netlink_dump_start(nlsk, skb, nlh, &c);
2240 /* Only accept unspec with dump */
2241 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2242 return -EAFNOSUPPORT;
2244 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2246 return PTR_ERR(set);
2248 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2252 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2256 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2263 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
2264 const struct nlmsghdr *nlh,
2265 const struct nlattr * const nla[])
2267 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2268 const struct nft_set_ops *ops;
2269 const struct nft_af_info *afi;
2270 struct net *net = sock_net(skb->sk);
2271 struct nft_table *table;
2272 struct nft_set *set;
2274 char name[IFNAMSIZ];
2277 u32 ktype, klen, dlen, dtype, flags;
2280 if (nla[NFTA_SET_TABLE] == NULL ||
2281 nla[NFTA_SET_NAME] == NULL ||
2282 nla[NFTA_SET_KEY_LEN] == NULL)
2285 ktype = NFT_DATA_VALUE;
2286 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2287 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2288 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2292 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2293 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
2297 if (nla[NFTA_SET_FLAGS] != NULL) {
2298 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2299 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2300 NFT_SET_INTERVAL | NFT_SET_MAP))
2306 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2307 if (!(flags & NFT_SET_MAP))
2310 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2311 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2312 dtype != NFT_DATA_VERDICT)
2315 if (dtype != NFT_DATA_VERDICT) {
2316 if (nla[NFTA_SET_DATA_LEN] == NULL)
2318 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2320 dlen > FIELD_SIZEOF(struct nft_data, data))
2323 dlen = sizeof(struct nft_data);
2324 } else if (flags & NFT_SET_MAP)
2327 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2329 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2331 return PTR_ERR(afi);
2333 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE]);
2335 return PTR_ERR(table);
2337 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
2339 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
2341 if (PTR_ERR(set) != -ENOENT)
2342 return PTR_ERR(set);
2347 if (nlh->nlmsg_flags & NLM_F_EXCL)
2349 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2354 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2357 ops = nft_select_set_ops(nla);
2359 return PTR_ERR(ops);
2362 if (ops->privsize != NULL)
2363 size = ops->privsize(nla);
2366 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
2370 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2371 err = nf_tables_set_alloc_name(&ctx, set, name);
2375 INIT_LIST_HEAD(&set->bindings);
2383 err = ops->init(set, nla);
2387 list_add_tail(&set->list, &table->sets);
2388 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
2394 module_put(ops->owner);
2398 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2400 list_del(&set->list);
2401 if (!(set->flags & NFT_SET_ANONYMOUS))
2402 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
2404 set->ops->destroy(set);
2405 module_put(set->ops->owner);
2409 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
2410 const struct nlmsghdr *nlh,
2411 const struct nlattr * const nla[])
2413 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2414 struct nft_set *set;
2418 if (nla[NFTA_SET_TABLE] == NULL)
2421 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
2425 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2426 return -EAFNOSUPPORT;
2428 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
2430 return PTR_ERR(set);
2431 if (!list_empty(&set->bindings))
2434 nf_tables_set_destroy(&ctx, set);
2438 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
2439 const struct nft_set *set,
2440 const struct nft_set_iter *iter,
2441 const struct nft_set_elem *elem)
2443 enum nft_registers dreg;
2445 dreg = nft_type_to_reg(set->dtype);
2446 return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
2449 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2450 struct nft_set_binding *binding)
2452 struct nft_set_binding *i;
2453 struct nft_set_iter iter;
2455 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2458 if (set->flags & NFT_SET_MAP) {
2459 /* If the set is already bound to the same chain all
2460 * jumps are already validated for that chain.
2462 list_for_each_entry(i, &set->bindings, list) {
2463 if (i->chain == binding->chain)
2470 iter.fn = nf_tables_bind_check_setelem;
2472 set->ops->walk(ctx, set, &iter);
2474 /* Destroy anonymous sets if binding fails */
2475 if (set->flags & NFT_SET_ANONYMOUS)
2476 nf_tables_set_destroy(ctx, set);
2482 binding->chain = ctx->chain;
2483 list_add_tail(&binding->list, &set->bindings);
2487 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2488 struct nft_set_binding *binding)
2490 list_del(&binding->list);
2492 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
2493 nf_tables_set_destroy(ctx, set);
2500 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
2501 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
2502 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
2503 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
2506 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
2507 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
2508 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
2509 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
2512 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
2513 const struct sk_buff *skb,
2514 const struct nlmsghdr *nlh,
2515 const struct nlattr * const nla[])
2517 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2518 const struct nft_af_info *afi;
2519 const struct nft_table *table;
2520 struct net *net = sock_net(skb->sk);
2522 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2524 return PTR_ERR(afi);
2526 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE]);
2528 return PTR_ERR(table);
2530 nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
2534 static int nf_tables_fill_setelem(struct sk_buff *skb,
2535 const struct nft_set *set,
2536 const struct nft_set_elem *elem)
2538 unsigned char *b = skb_tail_pointer(skb);
2539 struct nlattr *nest;
2541 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2543 goto nla_put_failure;
2545 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2547 goto nla_put_failure;
2549 if (set->flags & NFT_SET_MAP &&
2550 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2551 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2552 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2554 goto nla_put_failure;
2556 if (elem->flags != 0)
2557 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2558 goto nla_put_failure;
2560 nla_nest_end(skb, nest);
2568 struct nft_set_dump_args {
2569 const struct netlink_callback *cb;
2570 struct nft_set_iter iter;
2571 struct sk_buff *skb;
2574 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2575 const struct nft_set *set,
2576 const struct nft_set_iter *iter,
2577 const struct nft_set_elem *elem)
2579 struct nft_set_dump_args *args;
2581 args = container_of(iter, struct nft_set_dump_args, iter);
2582 return nf_tables_fill_setelem(args->skb, set, elem);
2585 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2587 const struct nft_set *set;
2588 struct nft_set_dump_args args;
2590 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2591 struct nfgenmsg *nfmsg;
2592 struct nlmsghdr *nlh;
2593 struct nlattr *nest;
2597 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
2598 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
2602 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2606 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2608 return PTR_ERR(set);
2610 event = NFT_MSG_NEWSETELEM;
2611 event |= NFNL_SUBSYS_NFTABLES << 8;
2612 portid = NETLINK_CB(cb->skb).portid;
2613 seq = cb->nlh->nlmsg_seq;
2615 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2618 goto nla_put_failure;
2620 nfmsg = nlmsg_data(nlh);
2621 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2622 nfmsg->version = NFNETLINK_V0;
2625 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2626 goto nla_put_failure;
2627 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2628 goto nla_put_failure;
2630 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2632 goto nla_put_failure;
2636 args.iter.skip = cb->args[0];
2637 args.iter.count = 0;
2639 args.iter.fn = nf_tables_dump_setelem;
2640 set->ops->walk(&ctx, set, &args.iter);
2642 nla_nest_end(skb, nest);
2643 nlmsg_end(skb, nlh);
2645 if (args.iter.err && args.iter.err != -EMSGSIZE)
2646 return args.iter.err;
2647 if (args.iter.count == cb->args[0])
2650 cb->args[0] = args.iter.count;
2657 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2658 const struct nlmsghdr *nlh,
2659 const struct nlattr * const nla[])
2661 const struct nft_set *set;
2665 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2669 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2671 return PTR_ERR(set);
2673 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2674 struct netlink_dump_control c = {
2675 .dump = nf_tables_dump_set,
2677 return netlink_dump_start(nlsk, skb, nlh, &c);
2682 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2683 const struct nlattr *attr)
2685 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2686 struct nft_data_desc d1, d2;
2687 struct nft_set_elem elem;
2688 struct nft_set_binding *binding;
2689 enum nft_registers dreg;
2692 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2693 nft_set_elem_policy);
2697 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2701 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2702 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2703 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2707 if (set->flags & NFT_SET_MAP) {
2708 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2709 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2712 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2716 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2720 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2724 if (set->ops->get(set, &elem) == 0)
2727 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2728 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2733 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2736 dreg = nft_type_to_reg(set->dtype);
2737 list_for_each_entry(binding, &set->bindings, list) {
2738 struct nft_ctx bind_ctx = {
2740 .table = ctx->table,
2741 .chain = binding->chain,
2744 err = nft_validate_data_load(&bind_ctx, dreg,
2745 &elem.data, d2.type);
2751 err = set->ops->insert(set, &elem);
2758 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2759 nft_data_uninit(&elem.data, d2.type);
2761 nft_data_uninit(&elem.key, d1.type);
2766 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2767 const struct nlmsghdr *nlh,
2768 const struct nlattr * const nla[])
2770 const struct nlattr *attr;
2771 struct nft_set *set;
2775 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2779 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2781 return PTR_ERR(set);
2782 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2785 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2786 err = nft_add_set_elem(&ctx, set, attr);
2793 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2794 const struct nlattr *attr)
2796 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2797 struct nft_data_desc desc;
2798 struct nft_set_elem elem;
2801 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2802 nft_set_elem_policy);
2807 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2810 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2815 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2818 err = set->ops->get(set, &elem);
2822 set->ops->remove(set, &elem);
2824 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2825 if (set->flags & NFT_SET_MAP)
2826 nft_data_uninit(&elem.data, set->dtype);
2829 nft_data_uninit(&elem.key, desc.type);
2834 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2835 const struct nlmsghdr *nlh,
2836 const struct nlattr * const nla[])
2838 const struct nlattr *attr;
2839 struct nft_set *set;
2843 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2847 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2849 return PTR_ERR(set);
2850 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2853 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2854 err = nft_del_setelem(&ctx, set, attr);
2861 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2862 [NFT_MSG_NEWTABLE] = {
2863 .call = nf_tables_newtable,
2864 .attr_count = NFTA_TABLE_MAX,
2865 .policy = nft_table_policy,
2867 [NFT_MSG_GETTABLE] = {
2868 .call = nf_tables_gettable,
2869 .attr_count = NFTA_TABLE_MAX,
2870 .policy = nft_table_policy,
2872 [NFT_MSG_DELTABLE] = {
2873 .call = nf_tables_deltable,
2874 .attr_count = NFTA_TABLE_MAX,
2875 .policy = nft_table_policy,
2877 [NFT_MSG_NEWCHAIN] = {
2878 .call = nf_tables_newchain,
2879 .attr_count = NFTA_CHAIN_MAX,
2880 .policy = nft_chain_policy,
2882 [NFT_MSG_GETCHAIN] = {
2883 .call = nf_tables_getchain,
2884 .attr_count = NFTA_CHAIN_MAX,
2885 .policy = nft_chain_policy,
2887 [NFT_MSG_DELCHAIN] = {
2888 .call = nf_tables_delchain,
2889 .attr_count = NFTA_CHAIN_MAX,
2890 .policy = nft_chain_policy,
2892 [NFT_MSG_NEWRULE] = {
2893 .call_batch = nf_tables_newrule,
2894 .attr_count = NFTA_RULE_MAX,
2895 .policy = nft_rule_policy,
2897 [NFT_MSG_GETRULE] = {
2898 .call = nf_tables_getrule,
2899 .attr_count = NFTA_RULE_MAX,
2900 .policy = nft_rule_policy,
2902 [NFT_MSG_DELRULE] = {
2903 .call_batch = nf_tables_delrule,
2904 .attr_count = NFTA_RULE_MAX,
2905 .policy = nft_rule_policy,
2907 [NFT_MSG_NEWSET] = {
2908 .call = nf_tables_newset,
2909 .attr_count = NFTA_SET_MAX,
2910 .policy = nft_set_policy,
2912 [NFT_MSG_GETSET] = {
2913 .call = nf_tables_getset,
2914 .attr_count = NFTA_SET_MAX,
2915 .policy = nft_set_policy,
2917 [NFT_MSG_DELSET] = {
2918 .call = nf_tables_delset,
2919 .attr_count = NFTA_SET_MAX,
2920 .policy = nft_set_policy,
2922 [NFT_MSG_NEWSETELEM] = {
2923 .call = nf_tables_newsetelem,
2924 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2925 .policy = nft_set_elem_list_policy,
2927 [NFT_MSG_GETSETELEM] = {
2928 .call = nf_tables_getsetelem,
2929 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2930 .policy = nft_set_elem_list_policy,
2932 [NFT_MSG_DELSETELEM] = {
2933 .call = nf_tables_delsetelem,
2934 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2935 .policy = nft_set_elem_list_policy,
2939 static const struct nfnetlink_subsystem nf_tables_subsys = {
2940 .name = "nf_tables",
2941 .subsys_id = NFNL_SUBSYS_NFTABLES,
2942 .cb_count = NFT_MSG_MAX,
2944 .commit = nf_tables_commit,
2945 .abort = nf_tables_abort,
2949 * Loop detection - walk through the ruleset beginning at the destination chain
2950 * of a new jump until either the source chain is reached (loop) or all
2951 * reachable chains have been traversed.
2953 * The loop check is performed whenever a new jump verdict is added to an
2954 * expression or verdict map or a verdict map is bound to a new chain.
2957 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2958 const struct nft_chain *chain);
2960 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2961 const struct nft_set *set,
2962 const struct nft_set_iter *iter,
2963 const struct nft_set_elem *elem)
2965 switch (elem->data.verdict) {
2968 return nf_tables_check_loops(ctx, elem->data.chain);
2974 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2975 const struct nft_chain *chain)
2977 const struct nft_rule *rule;
2978 const struct nft_expr *expr, *last;
2979 const struct nft_set *set;
2980 struct nft_set_binding *binding;
2981 struct nft_set_iter iter;
2983 if (ctx->chain == chain)
2986 list_for_each_entry(rule, &chain->rules, list) {
2987 nft_rule_for_each_expr(expr, last, rule) {
2988 const struct nft_data *data = NULL;
2991 if (!expr->ops->validate)
2994 err = expr->ops->validate(ctx, expr, &data);
3001 switch (data->verdict) {
3004 err = nf_tables_check_loops(ctx, data->chain);
3013 list_for_each_entry(set, &ctx->table->sets, list) {
3014 if (!(set->flags & NFT_SET_MAP) ||
3015 set->dtype != NFT_DATA_VERDICT)
3018 list_for_each_entry(binding, &set->bindings, list) {
3019 if (binding->chain != chain)
3025 iter.fn = nf_tables_loop_check_setelem;
3027 set->ops->walk(ctx, set, &iter);
3037 * nft_validate_input_register - validate an expressions' input register
3039 * @reg: the register number
3041 * Validate that the input register is one of the general purpose
3044 int nft_validate_input_register(enum nft_registers reg)
3046 if (reg <= NFT_REG_VERDICT)
3048 if (reg > NFT_REG_MAX)
3052 EXPORT_SYMBOL_GPL(nft_validate_input_register);
3055 * nft_validate_output_register - validate an expressions' output register
3057 * @reg: the register number
3059 * Validate that the output register is one of the general purpose
3060 * registers or the verdict register.
3062 int nft_validate_output_register(enum nft_registers reg)
3064 if (reg < NFT_REG_VERDICT)
3066 if (reg > NFT_REG_MAX)
3070 EXPORT_SYMBOL_GPL(nft_validate_output_register);
3073 * nft_validate_data_load - validate an expressions' data load
3075 * @ctx: context of the expression performing the load
3076 * @reg: the destination register number
3077 * @data: the data to load
3078 * @type: the data type
3080 * Validate that a data load uses the appropriate data type for
3081 * the destination register. A value of NULL for the data means
3082 * that its runtime gathered data, which is always of type
3085 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
3086 const struct nft_data *data,
3087 enum nft_data_types type)
3092 case NFT_REG_VERDICT:
3093 if (data == NULL || type != NFT_DATA_VERDICT)
3096 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
3097 err = nf_tables_check_loops(ctx, data->chain);
3101 if (ctx->chain->level + 1 > data->chain->level) {
3102 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
3104 data->chain->level = ctx->chain->level + 1;
3110 if (data != NULL && type != NFT_DATA_VALUE)
3115 EXPORT_SYMBOL_GPL(nft_validate_data_load);
3117 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
3118 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
3119 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
3120 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3123 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
3124 struct nft_data_desc *desc, const struct nlattr *nla)
3126 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
3127 struct nft_chain *chain;
3130 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
3134 if (!tb[NFTA_VERDICT_CODE])
3136 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
3138 switch (data->verdict) {
3145 desc->len = sizeof(data->verdict);
3149 if (!tb[NFTA_VERDICT_CHAIN])
3151 chain = nf_tables_chain_lookup(ctx->table,
3152 tb[NFTA_VERDICT_CHAIN]);
3154 return PTR_ERR(chain);
3155 if (chain->flags & NFT_BASE_CHAIN)
3159 data->chain = chain;
3160 desc->len = sizeof(data);
3166 desc->type = NFT_DATA_VERDICT;
3170 static void nft_verdict_uninit(const struct nft_data *data)
3172 switch (data->verdict) {
3180 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
3182 struct nlattr *nest;
3184 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
3186 goto nla_put_failure;
3188 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
3189 goto nla_put_failure;
3191 switch (data->verdict) {
3194 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
3195 goto nla_put_failure;
3197 nla_nest_end(skb, nest);
3204 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
3205 struct nft_data_desc *desc, const struct nlattr *nla)
3212 if (len > sizeof(data->data))
3215 nla_memcpy(data->data, nla, sizeof(data->data));
3216 desc->type = NFT_DATA_VALUE;
3221 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
3224 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
3227 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
3228 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
3229 .len = FIELD_SIZEOF(struct nft_data, data) },
3230 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
3234 * nft_data_init - parse nf_tables data netlink attributes
3236 * @ctx: context of the expression using the data
3237 * @data: destination struct nft_data
3238 * @desc: data description
3239 * @nla: netlink attribute containing data
3241 * Parse the netlink data attributes and initialize a struct nft_data.
3242 * The type and length of data are returned in the data description.
3244 * The caller can indicate that it only wants to accept data of type
3245 * NFT_DATA_VALUE by passing NULL for the ctx argument.
3247 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
3248 struct nft_data_desc *desc, const struct nlattr *nla)
3250 struct nlattr *tb[NFTA_DATA_MAX + 1];
3253 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
3257 if (tb[NFTA_DATA_VALUE])
3258 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
3259 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
3260 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
3263 EXPORT_SYMBOL_GPL(nft_data_init);
3266 * nft_data_uninit - release a nft_data item
3268 * @data: struct nft_data to release
3269 * @type: type of data
3271 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
3272 * all others need to be released by calling this function.
3274 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
3277 case NFT_DATA_VALUE:
3279 case NFT_DATA_VERDICT:
3280 return nft_verdict_uninit(data);
3285 EXPORT_SYMBOL_GPL(nft_data_uninit);
3287 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
3288 enum nft_data_types type, unsigned int len)
3290 struct nlattr *nest;
3293 nest = nla_nest_start(skb, attr);
3298 case NFT_DATA_VALUE:
3299 err = nft_value_dump(skb, data, len);
3301 case NFT_DATA_VERDICT:
3302 err = nft_verdict_dump(skb, data);
3309 nla_nest_end(skb, nest);
3312 EXPORT_SYMBOL_GPL(nft_data_dump);
3314 static int nf_tables_init_net(struct net *net)
3316 INIT_LIST_HEAD(&net->nft.af_info);
3317 INIT_LIST_HEAD(&net->nft.commit_list);
3321 static struct pernet_operations nf_tables_net_ops = {
3322 .init = nf_tables_init_net,
3325 static int __init nf_tables_module_init(void)
3329 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
3336 err = nf_tables_core_module_init();
3340 err = nfnetlink_subsys_register(&nf_tables_subsys);
3344 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
3345 return register_pernet_subsys(&nf_tables_net_ops);
3347 nf_tables_core_module_exit();
3354 static void __exit nf_tables_module_exit(void)
3356 unregister_pernet_subsys(&nf_tables_net_ops);
3357 nfnetlink_subsys_unregister(&nf_tables_subsys);
3358 nf_tables_core_module_exit();
3362 module_init(nf_tables_module_init);
3363 module_exit(nf_tables_module_exit);
3365 MODULE_LICENSE("GPL");
3366 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
3367 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
projects / ~andy / linux / blob